VACL not working

ns
Level 1

I'm trying to secure a VLAN using VACL on a 6509 CatOS 5.4(1) and it doesn't work. I have created a MAC ACL, based on the source host mac and ANY as the destination, example:

set security acl mac test permit host 00-01-02-03-04-05 any

There are 16 ACEs.

I have committed the ACL and mapped it to a VLAN. As I understand it, all frames being forwarded in this VLAN will first be checked against the VACL, and if there's a match they will be forwarded. But it doesn't work!! A port in the VLAN is connected to another switch, and on that switch there are some clients that I want to have access and the rest need to be denied access. With the above config I haven't put my notebook MAC in, and connecting it to the same VLAN I still have access... which indicates that the VACL does not work. The VLAN is not routed with the MSFC. I need to use a MAC VACL because of tighter access control.

I haven't used port security because it doesn't support high availability on redundant supervisors. And VACLs are supported with high availability.

I have checked the release notes for newer versions and looked in the bug tool and I can't find any issues with MAC VACLs. I know that the CatOS version is quite old but unless there is a specific issue with VACLs or other we can survive on this version.

If you have any comments/advice please elaborate.

Thank you.


comm
Level 1

See this reference:

http://www.cisco.com/en/US/products/hw/switches/ps708/products_configuration_guide_chapter09186a0080121d10.html#1020197

IP traffic and IPX traffic are not access controlled by MAC VACLs. All other traffic types (AppleTalk, DECnet, and so on) are classified as MAC traffic and MAC VACLs are used to access control this traffic.

So as I understand it, it is not possible to use a MAC ACL as a filter for any kind of traffic except AppleTalk, DECnet etc., like you could do with port security? Which I can't use... So I have to use IPs... hmmm. Ok. I'll look for another solution. Thanks
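Added example, not from the thread and not taken from Cisco's documentation: the MAC ACL from the question placed beside an IP VACL that permits only the listed hosts and leaves everything else to the implicit deny. The ACL name ALLOWED_HOSTS, VLAN 10 and the 10.1.1.x addresses are constructed placeholders. The commands follow the CatOS "set security acl" family the poster is already using, but the exact syntax accepted by 5.4(1) should be checked against the configuration guide linked above.

```text
# Constructed example (not from the thread). Placeholders: VLAN 10, ACL name ALLOWED_HOSTS,
# and 10.1.1.10 / 10.1.1.11 stand in for the clients that should keep access.
#
# The MAC VACL from the question only sees non-IP/non-IPX frames (AppleTalk, DECnet, ...),
# so an IP host that is missing from it is never matched and is forwarded normally:
set security acl mac test permit host 00-01-02-03-04-05 any

# An IP VACL is what actually gates IP frames in the VLAN. List the permitted hosts;
# everything else falls into the implicit deny at the end of the list.
set security acl ip ALLOWED_HOSTS permit ip host 10.1.1.10 any
set security acl ip ALLOWED_HOSTS permit ip host 10.1.1.11 any
# Explicit deny shown for readability; it matches the implicit deny.
set security acl ip ALLOWED_HOSTS deny ip any any

# Entries live in the edit buffer until committed; then map the ACL to the VLAN.
commit security acl ALLOWED_HOSTS
set security acl map ALLOWED_HOSTS 10

# Verify what is committed and what is mapped to the VLAN.
show security acl info ALLOWED_HOSTS
show security acl map 10
```

Two caveats for anyone going this route: an IP address is an easier identity for a host to change than a MAC, so this is coarser than the MAC-based control the question asked for; and because the VLAN is not routed on the MSFC, the VACL is the only place intra-VLAN traffic is filtered, so a mistake in the permit list will cut off the listed hosts as well. The example assumes that non-IP traffic in the VLAN (ARP in particular) can stay unfiltered, since the IP VACL does not apply to it.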
